
Google deploys Gemini to raise the cost of ad fraud, but adversary adaptation remains the defining challenge

Google is expanding its use of Gemini AI models to detect and block malicious ads across its advertising platforms as threat actors refine evasion techniques. This represents an incremental defensive improvement in an ongoing arms race rather than a structural shift in ad ecosystem security.

Sebastion

Affected

Google Ads, Google Display Network, Google advertising platforms

Google's expansion of Gemini AI to combat malicious advertising reflects the intensifying sophistication of ad-based attack campaigns. Threat actors have moved beyond simple phishing redirects to deploy credential harvesters, malware delivery infrastructure, and investment scams directly through the ad ecosystem. By routing detection through large language models trained on patterns of fraudulent creative, landing pages, and behavioural signals, Google gains the ability to recognise more context-dependent abuse than signature-based or heuristic filters alone.

However, this announcement should be contextualised within the inherent limitations of platform-scale AI detection. Malicious ad campaigns operate on margins that allow for continuous iteration. A scammer ejected from one advertiser account can regenerate credentials and campaigns faster than detection systems can update models. Gemini may raise friction and cost, but financial motivation remains intact. The framing of AI as a solution to ad fraud risks overstating its impact: detection is a game of partial observability, and sophisticated threat actors exploit the training-deployment gap, seasonal patterns, and geographic targeting to stay ahead of model updates.

Google's approach also highlights an asymmetry in the ad ecosystem. Google controls the detection infrastructure, budget enforcement, and approval pipelines, yet malicious actors operate in the gaps between real-time detection cycles and the sheer volume of creative variants processed daily. Gemini may excel at flagging obvious patterns, but adversaries with resources invest in evading specific detection signatures. The true measure of success is not the volume of ads blocked, but the sustained cost imposed on threat actors relative to their revenue. Without transparency into false negative rates, adversary adaptation timelines, or account recovery patterns, it is difficult to assess whether this investment materially changes outcomes.

Defenders relying on Google's ad networks should recognise that platform-level filtering is a filter, not a firewall. Organisations should implement independent URL reputation checks, enforce browser security policies that block redirect chains, and educate users about sponsored result provenance. Security teams should also monitor for abuse patterns that slip through: credential harvesting campaigns, investment scams, and malware redirects often succeed because they exploit trust in platform curation rather than technical bypasses. Google's expanded tooling is worthwhile, but it should not displace client-side and organisational vigilance.
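One way to run the independent reputation and redirect-chain checks recommended above over your own proxy telemetry, as an added example that is not part of the original article. The log tuple layout, the ad-click host set, the blocklist and the hop threshold are all assumptions, and the log lines are constructed.

```python
from urllib.parse import urlsplit

# Assumption: hosts that mark a request as an ad click-through; tune to your telemetry.
AD_CLICK_HOSTS = {"www.googleadservices.com", "googleads.g.doubleclick.net"}
BLOCKLIST = {"secure-login.bad.example"}  # constructed stand-in for a reputation feed
MAX_INTERMEDIATE_HOSTS = 1                # assumed policy threshold

# Constructed proxy log: (client, url, http_status, location_header)
LOG = [
    ("10.0.0.5", "https://www.googleadservices.com/pagead/aclk?adurl=x", 302, "https://shop.example/landing"),
    ("10.0.0.5", "https://shop.example/landing", 200, None),
    ("10.0.0.9", "https://www.googleadservices.com/pagead/aclk?adurl=y", 302, "https://trk1.example/r"),
    ("10.0.0.9", "https://trk1.example/r", 302, "https://trk2.example/r"),
    ("10.0.0.9", "https://trk2.example/r", 302, "https://secure-login.bad.example/"),
    ("10.0.0.9", "https://secure-login.bad.example/", 200, None),
]

def host(url):
    return (urlsplit(url).hostname or "").lower()

def ad_click_chains(log):
    """Yield (client, [urls]) per ad click, following Location headers for that client."""
    for i, (client, url, status, location) in enumerate(log):
        if host(url) not in AD_CLICK_HOSTS:
            continue
        chain, pos = [url], i
        while location and 300 <= status < 400:
            nxt = next((j for j in range(pos + 1, len(log))
                        if log[j][0] == client and log[j][1] == location), None)
            chain.append(location)
            if nxt is None:
                break  # redirect target never fetched (blocked, or a gap in the log)
            pos = nxt
            _, _, status, location = log[pos]
        yield client, chain

def assess(chain):
    """Return findings for one chain: blocklisted landing host, or too many hop hosts."""
    hosts = [host(u) for u in chain]
    landing = hosts[-1]
    intermediates = {h for h in hosts[1:-1] if h != landing}
    findings = []
    if landing in BLOCKLIST:
        findings.append("landing host on local blocklist")
    if len(intermediates) > MAX_INTERMEDIATE_HOSTS:
        findings.append(f"{len(intermediates)} intermediate redirect hosts")
    return findings

def flagged_clicks(log):
    return [(c, ch[-1], f) for c, ch in ad_click_chains(log) if (f := assess(ch))]
```
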